Threats 101
The Barkly Team
May 2017

Polymorphic Malware: How to Spot and Stop this Shapeshifting Menace


The prolific adoption of polymorphic techniques means the vast majority of malware is unique to each victim. That poses a serious problem for traditional endpoint security solutions — they can't stop what they've never seen before.

Traditional endpoint security has been a high-stakes game of whack-a-mole: attackers create new malware, anti-virus vendors create new signatures to block it, and attackers respond by creating more malware.

As global networks and computing power have expanded rapidly over the last decade, malware authors soon realized that speed and volume were their secret weapon. In order to succeed, all they needed to do was create more malware at a faster pace to stay ahead of signature-based detection.

And, that’s exactly what they have done, churning out new malware at an almost unbelievable pace. In 2013, 82 percent of malware was cycled out after just one hour, and 70 percent was seen only once before being replaced with a new variation. Just three years later, 99 percent of malware is seen for less than one minute before a new sample takes its place.

Figure: In 2013, 82 percent of malware was cycled out within one hour (source: FireEye).

Figure: In 2016, 99 percent of malware was cycled out within one minute (source: Verizon 2016 DBIR).

The ramp up in volume has been equally staggering. Back in 2005, Panda Software was discovering a new strain of malware every 12 minutes. By 2016, McAfee was finding 4 per second.

And, that’s just the malware that could be detected, to say nothing of the malware that might have slipped through the cracks. Which raises a critical point: the avalanche of malware proves not only that hackers have become increasingly sophisticated in their speed and efficiency, but also that it’s virtually impossible for conventional signature-based antivirus to keep pace.

Clearly it’s time for a new approach, one that doesn't have to reactively chase down every new piece of malware that gets created. But first, let’s get a better handle on exactly how we got in this position, and how this fast-moving malware comes to life in the first place.

What is Polymorphic Malware?

If you’re wondering exactly how hackers manage to create so much new malware so quickly, part of the answer is that they don’t, or at least not directly. Instead, many use a dangerously efficient technique called polymorphic replication to do the dirty work for them.

Polymorphic malware is intrusive code that mutates quickly, spinning off countless variations of itself. Each new iteration makes a small change to its file attributes (a new filename, a different compression signature, or a fresh encryption key, for example) in order to evade signature-matching detection. While these surface characteristics change with each new variant, the underlying malicious functionality stays the same.

The technique has become so popular that 97 percent of malware infections now employ polymorphic techniques, making them exceptionally hard to detect by traditional AV means.

The Many Faces of Polymorphic Malware

Here are just a few examples of this shapeshifting malware that have wreaked havoc on enterprise operations:

Storm Worm

Taking its name from its ominous email subject line, “230 dead as storm batters Europe,” Storm Worm arrived in 2007 as an email attachment that, when opened, installed the wincom32 service and a Trojan, turning the receiving computer into a bot. The compromised machine in turn churned out a new variant of the malware at a pace of about one every 30 minutes.

The result: in its prime, Storm Worm was credited with causing up to 8 percent of all global malware infections.

CryptoWall

One of the most notorious ransomware families, CryptoWall reached peak activity in 2015, when researchers discovered over 4,000 samples of the malware being spread via phishing emails and exploit kits. It's estimated that one particular version of the ransomware, CryptoWall 3.0, cost victims an astounding $325 million in Bitcoin in 2015 alone.

Virlock

Virlock ransomware stands out in multiple ways. First, it's parasitic: in addition to encrypting files, it also infects them, so that each time a user opens one of them the infection process starts all over again. As a result, victims need to take special care to ensure that their machines are wiped clean and that any shared network drives are free of infected files as well.

Secondly, Virlock employs what researcher Raul Alvarez at Fortinet describes as an "on-demand polymorphic algorithm." When Virlock arrives on a victim's machine, its payload is encrypted to avoid detection. As part of its infection process, it decrypts only the specific pieces of code it needs at any given moment, then re-encrypts them with a different encryption key.

As Alvarez notes, "the longer Virlock uses this code, and its continuing series of decryption and encryption patterns, the malware in memory will look completely different from the original encrypted copy before it was loaded in memory."

This helps Virlock evade AV detection as it spreads, and it makes it extremely difficult and time-consuming for researchers to fully analyze its code.

Shutting Down the Shapeshifters

Due in large part to these polymorphic techniques, more than 390,000 new variations of malware are detected every day. And, because polymorphic signatures and code change continuously, it’s pretty clear that the typical AV protocol — adding newly detected signatures to a blacklist — simply cannot keep pace, especially when it comes to on-demand polymorphs like Virlock.

However, while the signatures and code of polymorphic variants may change, one thing does not: their functionality. Once the malware lands on a device, it still behaves the same way. And that’s exactly where detection efforts should focus: on identifying and blocking the behaviors that malware exhibits and relies on to execute.

In other words, the identifying hallmark of malware isn’t its signature (which can change rapidly), but its behavior once it’s found a target.

That’s where runtime malware defense (RMD) comes in. By monitoring system activity in real-time to spot common malware behaviors, Barkly’s RMD can block attacks that can’t be detected by conventional protection that looks at file attributes alone.
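As an added illustration (not Barkly's code or any real detection engine), the following Python sketch contrasts the two approaches the article describes: a hash blocklist that has only seen one variant, and behavior rules keyed on what the article says stays constant across variants. The sample bytes, event traces, rule names and threshold are all constructed for this example.

```python
import hashlib

# Constructed stand-in bytes for two variants of one malware family: same logic,
# different embedded key field, so every byte-level signature differs. Not real malware.
VARIANT_A = b"STUB key=3f2a body=" + bytes(range(40))
VARIANT_B = b"STUB key=91c4 body=" + bytes(range(40, 80))

# The signature-based defender has only ever seen variant A.
BLOCKLIST = {hashlib.sha256(VARIANT_A).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Classic AV check: is this exact file already on the blocklist?"""
    return hashlib.sha256(sample).hexdigest() in BLOCKLIST


def suspicious_behaviors(trace, mass_threshold=5):
    """Return the set of behavior rules a process's (action, path) trace triggers.
    Rules mirror behaviors the article describes; the threshold is an assumption."""
    found = set()
    written = {path for action, path in trace if action == "write"}
    deleted = {path for action, path in trace if action == "delete"}
    # Rule 1: a document is replaced by a same-named file with an extra extension and
    # the original is deleted. Repeated across many files, that is the encryption pattern.
    replaced = [d for d in deleted if any(w.startswith(d + ".") for w in written)]
    if len(replaced) >= mass_threshold:
        found.add("mass_file_encryption")
    # Rule 2: writing into executables, the parasitic infection behavior Virlock shows.
    # (A production engine would exempt installers and compilers; this toy does not.)
    if any(w.lower().endswith((".exe", ".dll")) for w in written):
        found.add("executable_tampering")
    # Rule 3: installing a new service, the Storm Worm style of persistence.
    if any(action == "service_install" for action, _ in trace):
        found.add("service_persistence")
    return found


def should_block(sample: bytes, trace) -> bool:
    """Runtime defense: block on a known signature OR on malicious behavior."""
    return signature_match(sample) or bool(suspicious_behaviors(trace))


# Constructed event traces. Both variants behave identically once they run.
DOCS = [f"C:\\Users\\amy\\Documents\\report{i}.docx" for i in range(6)]
MALWARE_TRACE = [ev for d in DOCS for ev in (("write", d + ".locked"), ("delete", d))]
MALWARE_TRACE += [("write", "C:\\Users\\amy\\Downloads\\setup.exe"), ("service_install", "wincom32")]
BENIGN_TRACE = [("write", DOCS[0]), ("write", DOCS[1]), ("delete", DOCS[0] + ".bak")]

if __name__ == "__main__":
    for name, sample in (("variant A", VARIANT_A), ("variant B", VARIANT_B)):
        print(name, "signature:", signature_match(sample), "blocked:", should_block(sample, MALWARE_TRACE))
```

Variant B slips past the hash blocklist entirely, yet the same three behavior rules fire for it as for variant A, while the benign editing trace triggers none.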

With Barkly's RMD, you can gain an essential last line of defense that blocks attacks, even when they do get past vigilant users and AV.

Learn more about how Barkly blocks what AV can’t.
